EXTERNAL VERSION 


Information Commissioner’s Office 


Operation LINDEN 
Unsolicited Marketing Communications Strategy Meeting 


ICO: 1 Northumberland Av. Trafalgar Square, London, WC2N 5BW 
23 October 2018, 10:30am-2pm 


Attending: 

Chair: ICO - Andy Curry, Enforcement Group Manager 
ICO: Kerry Smith, Enforcement 

ICO: Stephanie Braley, Intelligence 


ICO: James Rodriguez, Intelligence 
ICO: Sue Scott, Intelligence 


DMA: Mike Lordan, Direct Marketing Association 

DMA: John Mitchison, Direct Marketing Association 

DMA: Michael Sturrock, Direct Marketing Association 

DMC: George Kidd, Direct Marketing Commission 

FCA: Janan Akkad, Financial Conduct Authority 

FCA: Lis Brownbill, Financial Conduct Authority 

FR: Sarah Fox, Fundraising Regulator 

FR: Priya Warner, Fundraising Regulator 

GC: Siobhan Woolmer, Gambling Commission 

IS: Renu Sharma, Insolvency Service 

IS: Alan Tonge, Insolvency Service 

IFB: Claire Haines, Insurance Fraud Bureau 

MRS: Michelle Goddard, Market Research Society 

MRS: Debrah Harding, Market Research Society 

CMRU: Francesca Richards, MOJ Claims Management Regulation Unit 
CMRU: Greg Williams, MOJ Claims Management Regulation Unit 
NTSST: Richard Clarke, National Trading Standards Scams Team 
Ofcom: Madhu Bedhan 

Ofcom: Gavin Daykin 

PSA: Emma Bailey, Phone-paid Services Authority 

PSA: John Hodge, Phone-paid Services Authority 

SRA: Ceri Lloyd, Solicitors Regulation Authority 

TPR: Mark Littler, The Pensions Regulator 

TPR: Paul Sweeny, The Pensions Regulator 

BT: Ian Woodham, British Telecom 


Apologies: 
e Which: Adam Gillett & Colum McGuire 


e NTSIT: Emily Whitehall 
DMA: Arthur Cummings 


Page 1 of 10 


EXTERNAL VERSION 


1CO. 


Information Commissioner’s Office 


Aim of LINDEN 


To capture and share intelligence effectively and identify, plan, deliver and promote 
coordinated activity to maximise enforcement opportunities against individuals and 
organisations responsible for breaching legislation associated with unsolicited marketing 
texts, live and automated calls and silent or abandoned calls. To protect the privacy and 
consumer rights of individuals and to improve compliance. 


Agenda: 


Introductions - For those who have not previously attended (All) 


ICO updates - Including a wrap up of reporting; focusing on a six monthly 
update, recovery actions and what we have planned 


Activity and actions updates - 5 minute update on relevant activity from each 
organisation, as well as proposed actions for the next quarter. (All) 


Ofcom — Update on new powers 

Week of Action - proposals for future proactive work 

GDPR update 

Financial Recovery Unit and directors’ liability 

Operation WICKLOW and HIDA 

International enforcement — update on recent UCENet event (New York) 


AOB (Inc. intelligence requirements and next meeting / host) 


ICO updates 


Enforcement 


So far in financial year 18/19 there have been 12 monetary penalties issued for 
breaches of the Privacy and Electronic Communications Regulations against 
companies making or sending nuisance calls and messages. This is just under half 
of those issued during 17/18. 


Of the 12 penalties, six related to live calls, four to emails and the remaining two 
were related to SMS messaging. 


No penalties have been issued against automated calls as yet this financial year. 
These calls tend to be mass volume with companies’ quick to liquidate or involving 


Page 2 of 10 


EXTERNAL VERSION 


Information Commissioner’s Office 
overseas elements, which can disrupt investigation. 
e Four penalties have been paid, four appealed, two recovered and two await. This is 


a relatively high appeal rate compared to previous years though this is likely due to 
legislative changes (GDPR/DPA 2018). 


Intelligence 

FY 2018/19 (to end of September): 

Concerns reported by type: April 18 - end of September 18 

Live: 27,924 (29,571 = -1,647 / -6%) 

Auto: 30,502 (23,582 = +6,920 / +29%) 

SMS: 7,637 (6,622 = +1,015 / +15%) 

Total: 66,063 (59,775 = +6,288 / +11%) 

A slight increase in nuisance call and message complaints reported to the ICO up until 
the end of September. In line with this both auto and SMS concerns increased year on 
year for the same period. Whilst there was a small decline in live call concerns over this 
time, the comparative gap has been getting smaller as the year progresses and will likely 
continue to do so. 

In recent months in particular, monthly increases have been substantial: 

Q2 in isolation (Jul, Aug & Sept): +35% year on year 

September year on year increase: +107% 

This shows a reversal of the established trend of a yearly decrease, which was seen 
during the previous financial year. Its possible changes in legislation and increased media 
and public awareness of ICO and our work has contributed to this increase in reporting. 
Monthly increase post GDPR: +45% (difference May to June 18) 

Monthly increase post the CMC cold call ban: +63% (difference August to September 18). 
As would be expected, most of September’s increase was seen within the accident claims 


category, which accounted for 38% of all nuisance complaints reported to the ICO that 
month. 


Current trends: 
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Accident claims: as mentioned above, this topic has increased following changes to 
legislation and was mostly responsible for the overall increase in concerns seen in 
September. Many of these calls appeared to relate to the same company with 
reported names being variations on a similar themes. It is believed these calls 
relate to an ongoing ICO investigation and further analysis will be undertaken. 


PPI: these concerns also increased, up by 121%. We have not previously seen the 
increase expected with the PPI deadline on the horizon and whilst this is the largest 
number of concerns we have seen in this category so far this year, this is still a 
year on year decrease of 35% overall. 


Broadband: ISP broadband scam calls continue to be heavily featured within our 
top CLI tables and are referred to Action Fraud as appropriate. September saw the 
largest number of complaints submitted in this area since the categories inception 
and year on year this category has increased by 1845 concerns / 611%. 


Gambling: related SMS messages have historically been one of the highest reported 
topics for this contact type, though this position has been declining over the last six 
months. This is especially true following the completion of sporting events from 
over the summer. Most concerns related to online casinos and betting tips. 


Other SMS: we also continue to see a large amount of premium rate and 


subscription service messages which are referred to the PSA as these fall within 
their remit. 


Activity & Action updates (ALL) 


Market Research Society (MRS) 


Calls often made under the guise of marketing research, though recent numbers of 
complaints have declined. 
Current work focus is on GDRP. 


DMA (TPS) 


Complaints showing a downward trend year on year overall, though there was a 
slight increase in September. 

Continue to make the TPS data more accurate by removing dead numbers and 
routinely reviewing process to ensure no false removals. 

Significant number of new licencing seen post GDPR. 

No spike seen in registrations. 

Continue to support ICO investigations. 


Gambling Commission (GC) 
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Appears in the top three of SMS complaints reported to the ICO. 
Work being done with the ICO on how to identify those responsible. 
Continued work around social responsibility co-division. 


Ofcom 


PSA 


Year on year complaint volumes are down, however there were increases seen 
amongst abandoned and silent calls in August and September. 

Have undergone a strategic rethink. 

Monthly analysis of complaints to identify numbers which cause harm and their 
range holders and to encourage them to stop misuse. 

Engaging with a strategic industry working group of 10 of the largest 
communications providers to develop and implement technical measures to block 
and divert nuisance calls at a network level. Over 500 million numbers blocked. 
Annual Joint Action Plan between Ofcom and ICO to be published in March 2019. 
Working with relevant police agencies to share intelligence and input into processes 
to tackle negative patterns of behaviour by fraudsters. 


Premium rate SMSs often confused with spam and are reported as nuisance 
messages which creates a cross over with this group. 

Adjudications against: Xplosion Ltd 

x3 Cases - x7 Services - Games, Video & Adult 

All involved billed SMS and clickjacking. 

Fines Totalling £1,040,000. 

Significant press interest in Xplosion which resulted in CEO appearing on Radio 4 
“You & Yours” programme. 

Still working on the Direct Buy Initiative to prevent ad misplacement on YouTube 
Vids and Apps which may be attractive to children. Guidance to be issued, followed 
by enforcement where appropriate and proportionate. 


Fundraising Regulator (FR) 


Financial year now starts from 1 September in order to link to when Charity levies 
are due. Due to complete a 16 month report. 

1500 complaints received in 2017-18 for an average of 90 complaints per month, 
peaking in autumn 2017. 

78 investigation decisions made - 81% upheld, 27% not registered or not eligible 
to pay levy. 

Recent drop in complaints following a move to signpost those out of remit 
elsewhere before they are submitted.. 
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Fundraising Preference Service 


Few complaints received but may see a rise towards the end of the year. 

FPS Running for just over a year (July), received just over 21,000 suppressions 
from approx. 7000 individuals, 89% were submitted on behalf of someone else. 
116 charities referred to the ICO. 


Insurance Fraud Bureau (IFB) 


Three current operations that are either based on data vishing, claims farming, 
acting without instructions or all three. 


The IFB data vishing pilot is due to be reviewed at the end of November. The 
participating insurers provided data and the IFB have analysed this. There has been 
a decrease in calls month on month into insurer’s claims centres, however, there 
has been a significant increase across the same period in calls direct to policy 
holders. The data has led to increase intelligence for the three data vishing 
operations. The hope is that the pilot will continue and be extended to other 
insurers. 


Insolvency Service (IS) 


TPR 


4,365 cases and 578 disqualifications (5.7 yrs), 53 High tariff (10yr+). 

45 disclosures to other regulators. 

Looking at: 101 actual investigations and 29 wound up in public interest. 

Usually see a fraudulent scam influx around now, working with TPR and trying to be 
administrator for scheme - 1 now accepted for investigation. 

Cases often involve high yield investments where people have been conned or short 
term fraud cases to get better credit (fake or inflated account). New direction to 
tackle as a linked network rather than just individual cases of short term fraud. 


Seeing cold calls offering pension reviews, often claiming to be the ‘pension 
regulator’ — instances referred to Action Fraud. 

Can take action against scheme itself if identified but not against the caller. 

2 referrals made to ICO. 

Recent joint press release with the FCA including a TV advert to raise awareness. 


CMRU 


Conducted audits of 23 authorised claims management companies engaged in 
direct marketing and / or data, and issued comprehensive advice where breaches 
were identified. 


Page 6 of 10 


EXTERNAL VERSION 


1CO. 


Information Commissioner’s Office 


BT 


Issued warnings to 7 authorised claims management companies for direct 
marketing breaches, mostly in relation to insufficient due diligence when accepting 
data from third parties and unfair processing of data for marketing purposes. 
Progressed formal investigations into 12 authorised claims management businesses 
engaged in non-compliant direct marketing. 

Continued proactive projects focussing on data suppliers and brokers, in addition to 
businesses engaged in electronic marketing to ensure compliance. Continued to 
work closely with the ICO, Ofcom and the Advertising Standards Authority to assist 
with investigations. 

Continued to share intelligence and work closely with the ICO, Ofcom and the 
Advertising Standards Authority to assist with investigations. 

Updated our Advertising and Marketing guidance to include changes on GDPR and 
the cold call ban. 


14k complaints per month post GDPR - 50% increase. 
Seeing a large amount of broadband scams, these were initially automated though 
there are also live calls advising of a ‘fault on line’. 
Seeing a possible reduction in concerns relating to Microsoft issues. 
Pushing pension scam smart campaign to raise awareness - feedback good 
Working towards the upcoming pension cold calling ban will be really useful. 
Enforcement - seeing lots of issues of Phoenixing, working with ICO. 
Concerned there may be a possible shift to email / social media rather than calls in 
the future. 

Scams Team (NTSST) 


With EIRE law enforcement a number of Irish based companies and individuals 
have been found guilty of money laundering and POCA offences (some 3.8 million 
euros restrained). 

87 million items of mail stopped 

Continued roll out of ‘friends against scams’ (147k people) and delivery of mail 
industry training regarding due diligence when dealing with 3" party organisations. 
Continued engagement with UK based entities to deliver this message. 

Current work centred on health and beauty products and supplements being sold 
via the internet. The sales are often scams to entice victims and catch them in 
subscription traps. Seeking assistance of other UK law enforcement. Also working 
with US and Canadian counterparts to progress work. 

Continued publicity with media around our work. Also increased awareness of our 
work to central government and international law enforcement. 

Presenting at international conference in November USA. 
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SRA 


e SPOC for CMRU and IFB re: firms claims industry. 

e Following up referrals from Linden participants and other regulators re: CMCs 
and insurance claims. Working to improve these referrals (evidence req. etc.) 

e Seeing more calls impersonate solicitors or which infer calling on their behalf. 

e Possible breaches by solicitors for submitting the claims and DDs acting w/o 
consent (as a hidden 3" party) for calls. 

e PI still main priority. 

e Holiday sickness concerns are down, with the issue possibly being dealt with. 

e Concerns relating to housing associations (north) and housing disrepairs seem 
to be door to door not cold calling. 


Ofcom: update on new powers 


Ofcom’s new General Conditions, which came into effect on 1 October 2018 and, of 
particular note, have strengthened CLI requirements (now Condition C6). The key 
changes are: 


1. 


The condition has a broader scope and now applies to all providers of Publicly 
Available Telephone Services (PATS) and Public Electronic Communications Services 
over which PATS are provided. This ensures that responsibilities are placed on all 
providers who ae involved in the transmission of a call even where they are not 
providers of public electronic networks. 


. The wording has been amended to make it clearer that CLI facilities must be 


provided unless the provider can demonstrate that it is not technically feasible or 
economically viable to do so and that, where they cannot provide, they must inform 
their customers that CLI facilities are not available. 


Where CLI facilities are provided, providers must ensure that any CLI data includes 
a valid and dialable telephone number which uniquely identifies the caller (as far as 
technically feasible). 


. Providers are now prohibited from levying separate or additional charges for access 


to or use of standard CLI facilities. 


There is a new requirement for CPs to take reasonable steps to identify calls on 
which invalid or non-dialable CLI data is provided and to block those calls (where 
technically feasible). 


. There is also a new provision which requires providers to respect the privacy 


choices of end-users when providing CLI facilities. 
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Ofcom has also amended its numbering rules (now Condition B1.18) to extend powers to 
withdraw telephone numbers when they are used inconsistently with condition B1, the 
Numbering Plan or otherwise misused. 


Week of action 


Proposal for Linden participants to consider more proactive work together on a joint ‘week 
of action’ or communications push. 


Members were asked to email ideas to the ICO with the aim to review these in the New 
Year at the next Operation Linden meeting. 


GDPR update re: PERC (AC) 


e Transitional arrangements for PECR: 

e No amendments required to references to section 55A DPA and enforcement 
powers for PECR. 

e Enforcement under PECR is dealt with in the draft Transitional Provisions, at page 
110 of the government amendments here - 
https://publications. parliament.uk/pa/bills/Ibill/2017-2019/0104/18104.pdf 


e Para 58(1) of that schedule states: 


“58 (1) The repeal of a provision of the 1998 Act does not affect its operation for 
the purposes of the Privacy and Electronic Communications (EC Directive) 
Regulations 2003 (“the PECR 2003”) (see regulations 2, 31 and 31B of, and 
Schedule 1 to, those Regulations).” 


e ICO PDMIT team will also continue to consider DP contraventions - old Principle 1. 
e Rebadged advice and guidance for data subjects ‘Your Data Matters’. 
e Guidance on exemptions and international transfers updated. 


Financial Recovery Unit & Directors Liability update (KS) 


e FRU is responsible for pursuing and managing debt arising from unpaid CMPs. 

e Some investigations are now reaching conclusion 

e Cases referred to Insolvency Service where appropriate; 10 director 
disqualifications. 

e Working with other partnership agencies where appropriate including the FCA and 
Trading Standards teams. 


e Awaiting introduction of Director Liability for PECR breaches, statutory instrument 


to follow later this year allowing penalties to be lodged against individuals rather 
than organisations to tackle prolific offenders and issues of frequent phoenixing. 
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e DCMS director liability consultation is due to be published around the first week of 
June. 
e ICO will engage in a related communications push at this time. 


International Enforcement update (SB) 


UCENet event 


Steve Eckersley (Director of Investigations) and Adam Stevens (Head of Intelligence) 
attended the Unsolicited Communications Enforcement Network w/c 8 October 2018 in 
New York. This was led by the ICO and the US FTC and hosted alongside MAWG (the 
Messaging Mobile and Malware Anti-Abuse Working Group). 


The ICO jointly presented a session with the US FTA and Dutch ACM on lead generation 
and data brokerage as well as providing country updates in relation to unsolicited 
marketing enforcement. 


The Executive Committee (US FTC, UK ICO, Canadian CRTC, Australian ACMA, Korean 
KISA and New Zealand DIA) agreed priorities for the network for the next three years, 
and will be developing a new strategic plan for the network based on the event. 


The strategic plan will focus on the creation of new working groups to further: 


Intelligence and information exchange; 

Communication and engagement; 

Training; and 

Identifying international enforcement cooperation opportunities. 


The aim is to get broader engagement from organisations linked to this work, both from 
the regulatory/enforcement side and from the industry side. Opportunities will be created 
to chair working groups and to provide input as to the direction these should be taken in. 


Any Other Business (All) 


e N/A 


e Offers to host the next meeting in Jan/Feb requested. 
e Session closed thanking participants for attending. 
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